Forensic Blogs

An aggregator for digital forensics blogs

by

Internet of Things at Magnet User Summit 2019

INTRODUCTION

During the first week of April, I had the privilege of attending the Magnet User Summit in Nashville, Tennessee. Previously held as a separate training right before or after EnFuse in Las Vegas, the Magnet User Summit is a two day conference put on by Magnet Forensics. It features talks and hands on labs covering a wide gamut of topics within the field of digital forensics. I’m grateful for the chance to attend as the keynotes and lecture sessions were all enjoyable. I learned so much about the field of digital forensics directly from industry professionals.

INTERNET OF THINGS FORENSICS

One of the favorite sessions I attended was actually my first session, which was “Internet of Things Forensics”, presented by Jon Rajewski, the director of the LCDI. During the roughly hour long talk, Jon talked about a number of popular Internet of Things (IoT) devices, including the Amazon Echo, Facebook Portal, and the Nest suite of smart home devices. Jon went into detail about each of the devices and his findings about them as a forensic investigator.

One of the more intriguing products Jon discussed was the Facebook Portal.  Jon found that the Facebook Portal ran Android and accessed Facebook via a web portal rather than an application like on our phones. He went into detail about several IoT devices and showed the findings from the LCDI. The culmination of this work is an IoT artifact reference which they’ll release for open use. Through attending Jon’s talk, I learned a lot about the inner workings of IoT devices and their true security.

CONCLUSION

As the Magnet User Summit drew to a close, it was bit bittersweet to leave. Besides the fact that Nashville neared 75 degrees unlike Burlington, I had an incredible opportunity to learn. I gained more knowledge about digital forensics and networked with industry professionals! I am incredibly thankful to Champlain College, the LCDI, and Magnet Forensics for the opportunity to attend this year’s summit. Hopefully I’m able to attend another conference next year!

 

Blog written by Champlain College‘s Jackson Wajer.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Internet of Things at Magnet User Summit 2019 appeared first on The Leahy Center for Digital Investigation.

by

Magnet User Summit 2019: Solving Cyber Crimes with the University of Notre Dame

Mitch Kajzer presented this talk at the Magnet User Summit. He is the director of the Cyber Crimes Unit in St. Joseph County, Indiana, and also an adjunct professor at Notre Dame. He talked about the changing nature of digital forensic investigations and how police agencies need to adapt. Technology is now involved in most crimes because each person has an average of 4.3 internet-connect devices. Typically major cases get forensic attention which prevents some digital forensics exams from happening. If they do, some have backlogs and wait times of months to years. The solution in St. Joseph County was to enlist the help of college students.

Partnering with the University of Notre Dame

Mitch talked about the partnership that the Cyber Crimes Unit has with the University of Notre Dame. They have a paid internship where students of any major train and receive background education in digital forensics and get to work in the Cyber Crimes Unit.

All students are sworn police investigators who work on the same cases officers work on. They provide analysis on digital devices, write search warrants, execute them, and even appear in court. Students are involved in 95% of the cases in the department, are primary investigators in about a third of these cases, and conduct 65% of all digital examinations. Mitch said that the students leverage AXIOM a lot for their investigations, and helps to create portable cases to show the digital analysis results to the officer/detective assigned to the case.

Since starting, St. Joseph County’s Cyber Crime Unit has gone from a turnaround of fourteen days and a backlog of thirty cases, to now having a turnaround of only four hours and no backlog at all. Students are having a direct impact on the digital investigations, and are solving cases by themselves. In addition, most of the intern workforce has been women, which is awesome for getting more women into this field. I asked Mitch at the end of the presentation whether or not there was a legal implication for all this. Does the evidence students find hold up in court? He told me there have been no implications because of the extensive training and certification all interns receive.

Conclusion

I think this model is really amazing and can clearly change the way digital investigations are done within police departments. I hope the country catches on to what incredible work is coming from the partnership between Notre Dame and St. Joseph County’s Cyber Crime Unit. I also think it would be interesting to see this model implemented in Burlington itself with Champlain students, especially those working at the Leahy Center for Digital Investigation (LCDI). The LCDI already does investigative work, but I think that if there was a partnership with the Burlington Police Department, it would help students gain real-life experience while helping out the local community.

 

Blog written by Champlain College fi-year Madi Brumbelow.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Magnet User Summit 2019: Solving Cyber Crimes with the University of Notre Dame appeared first on The Leahy Center for Digital Investigation.

by

Data Recovery Blog 2

Putting Hard Drives to the Test

At the LCDI, we believe your data is important, and surely most would agree. The pictures of your family vacation are important, but what about your passwords? The hard drives that are in most computers store your data, leaving it open for anyone with the proper knowledge to find it and use it if not disposed of properly. This is not a new problem, as online computer news articles from almost 20 years ago described past experiences of people who purchased old hard drives and discovered the data of the last user.

The foundation of our goal is to ensure an understanding of deleting and storing data. Through our research, we have found free and available data recovery programs and sleuth kits to check data drives. Our investigation required a set of samples to test our techniques and programs. We bought a myriad of used hard drives from all over the internet. These previously belonged to other people, so it’s likely that remnants of the past user are still on them. The majority of online sources claim the drives they sell are clean “wiped”, but we’ll put that to the test. How clean can a hard drive be and what do these standards look like?

Using Sleuth Kits to Recover Data

In our last blog post, we explored the National Institute of Standards and Technology and the Department of Defense’s deletion standards which would be a clear indicator of security. The drives we purchased allow us to explore the effectiveness of each method compared to each other. After we’ve used the wiping standards, we must test the ease at which someone could recover the deleted data. In the lab, we have been busy looking at the Sleuth Kit tools to get that job done. The software we use is freeware and open ware, ensuring availability without special permission or a fee.

We have gone through a variety of software already, including Autopsy and Wise Data Recovery, two professionally used Sleuth Kits.

Autopsy examining deleted files

In the above image, we have pulled up a sample image file in Autopsy. In this sample, the previous user had deleted 10 images. The tool used a computer image file to carve data present but unlabeled, which we could then review.  The image file we loaded contained the deleted files. Although the computer preserved the data of the file, it lost the links for the file system to access it. These deleted files turned out to be various jpgs of different colors and text. The tool carved the data left within the computer and presented it to us similarly to the sample image below.

Wise Data Recovery loading files

Though this program is not as in depth as Autopsy, Wise Data Recovery was still able to get a good amount of information. This program allowed us to scan the Local C Drive, and we were able to load the files into the program for research and investigation.

These programs are used in professional settings and are free to download. However, the question arises: if these are available to everyone, what does that mean for your data? Anyone who has a computer and a way to attach your drive could snoop through your old data, which is the exact reason we work to share this information. What’s more alarming is these two programs don’t show the full extent of the files that could collect your data. There is no way to be sure that the next person will not have the ability to collect your data, or even how much they could gleam from the drive. 

Exploring Physical Drives and Virtual Machines

The recovery of data is very accessible and it should be taken into account when deleting data. In the coming weeks, we look forward to working with the physical drives and exploring the techniques and depth of data that can be extrapolated from something as small as a picture.

To stay updated with our progress, check out our Twitter, Instagram, and Facebook.

The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Investigation.